The input argument to the End User Controlled Organization rule is the authenticating user’s view. Identity Manager expects the rule to return one or more organizations that the user logging in to the End User interface will control: either a string (for a single organization) or a list (for multiple organizations).
To manage these objects, users need the End User Administrator capability. Users who are assigned the End User Administrator capability can view and modify the contents of the End User Controlled Organization rule. These users can also view and modify the object types specified in the EndUser capability.
The End User Administrator capability is assigned to the Configurator user by default. Any changes made to the list or to organizations returned by the evaluation of the End User Controlled Organization rule are not reflected dynamically for logged-in users. These users must log out and then log in again to see the changes.
If the End User Controlled Organization rule returns an invalid organization (for example, an organization that does not exist in Identity Manager), the problem will be logged in the System Log. To correct the problem, log in to the Administrator user interface and fix the rule.